lib: Validate metadata structure more consistently during pull

Previously we were doing e.g. `ot_util_filename_validate()` specifically inline
in dirtree objects, but only *after* writing them into the staging directory (by
default). In (non-default) cases such as not using a transaction, such an object
could be written directly into the repo.

A notable gap here is that `pull-local --untrusted` was *not* doing
this verification, just checksums. We harden that (and also the
static delta writing path, really *everything* that calls
`ostree_repo_write_metadata()`) to also do "structure" validation
which includes path traversal checks. Basically, let's try hard
to avoid having badly structured objects even in the repo.

One thing that sucks in this patch is that we need to allocate a "bounce buffer"
for metadata in the static delta path, because GVariant imposes alignment
requirements, which I screwed up and didn't fulfill when designing deltas. It
actually didn't matter before because we weren't parsing them, but now we are.
In theory we could check alignment but ...eh, not worth it, at least not until
we change the delta compiler to emit aligned metadata which actually may be
quite tricky. (Big picture I doubt this really matters much right now
but I'm not going to pull out a profiler yet for this.)

The pull test was extended to check we didn't even write a dirtree
with path traversal into the staging directory.

There's a bit of code motion in extracting
`_ostree_validate_structureof_metadata()` from `fsck_metadata_object()`.
Then `_ostree_verify_metadata_object()` builds on that to do checksum
verification too.

Closes: #1412
Approved by: jlebon
2018-01-12 17:15:21 +03:00

#!/bin/bash
#
# Copyright (C) 2014 Alexander Larsson <alexl@redhat.com>
# Copyright (C) 2018 Red Hat, Inc.
#
# SPDX-License-Identifier: LGPL-2.0+
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
# Boston, MA 02111-1307, USA.
set -euo pipefail
. $(dirname $0)/libtest.sh
echo '1..4'
setup_test_repository "bare"
cd ${test_tmpdir}
mkdir repo2
ostree_repo_init repo2 --mode="bare"
${CMD_PREFIX} ostree --repo=repo2 --untrusted pull-local repo
find repo2 -type f -links +1 | while read line; do
    assert_not_reached "pull-local created hardlinks"
done
echo "ok pull-local --untrusted didn't hardlink"
# Corrupt repo
for i in ${test_tmpdir}/repo/objects/*/*.file; do
    # make sure it's not a symlink
    if [ -L $i ]; then
        continue
    fi
    echo "corrupting $i"
    echo "broke" >> $i
    break
done
rm -rf repo2
mkdir repo2
ostree_repo_init repo2 --mode="bare"
if ${CMD_PREFIX} ostree --repo=repo2 pull-local repo; then
    echo "ok trusted pull with corruption succeeded"
else
    assert_not_reached "corrupted trusted pull unexpectedly succeeded!"
fi
rm -rf repo2
ostree_repo_init repo2 --mode="bare"
if ${CMD_PREFIX} ostree --repo=repo2 pull-local --untrusted repo; then
    assert_not_reached "corrupted untrusted pull unexpectedly failed!"
else
    echo "ok untrusted pull with corruption failed"
fi
cd ${test_tmpdir}
tar xf ${test_srcdir}/ostree-path-traverse.tar.gz
rm -rf repo2
ostree_repo_init repo2 --mode=archive
if ${CMD_PREFIX} ostree --repo=repo2 pull-local --untrusted ostree-path-traverse/repo pathtraverse-test 2>err.txt; then
    fatal "pull-local unexpectedly succeeded"
fi
assert_file_has_content_literal err.txt 'Invalid / in filename ../afile'
echo "ok untrusted pull-local path traversal"
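The structure check the commit message describes, as an added illustration that is not ostree's own code: a stand-in for the per-entry filename validation (ostree's real routine is `ot_util_filename_validate()`, not reproduced here), run over every entry of a constructed dirtree listing before anything would be written to the staging directory. The function and enum names, and the messages for the empty, `.` and `..` cases, are constructed for this example; only the `Invalid / in filename ../afile` text comes from the page's test.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a dirtree entry-name check (constructed for this
 * page, not ostree's code). A dirtree entry is exactly one path component, so
 * reject the empty name, "." and "..", and any name containing '/'. */
typedef enum { NAME_OK = 0, NAME_EMPTY, NAME_DOT, NAME_DOTDOT, NAME_HAS_SLASH } name_status;

name_status validate_dirtree_name(const char *name, char *err, size_t errlen)
{
  if (name == NULL || name[0] == '\0') {
    snprintf(err, errlen, "Invalid empty filename");   /* constructed message */
    return NAME_EMPTY;
  }
  if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) {
    snprintf(err, errlen, "Invalid self-reference %s in filename", name); /* constructed */
    return name[1] == '\0' ? NAME_DOT : NAME_DOTDOT;
  }
  if (strchr(name, '/') != NULL) {
    /* The case the page's test triggers with the entry "../afile". */
    snprintf(err, errlen, "Invalid / in filename %s", name);
    return NAME_HAS_SLASH;
  }
  return NAME_OK;
}

/* Validate every entry of a dirtree before it is staged or written into the
 * repo: returns -1 if all names pass, otherwise the index of the first
 * offending entry with err filled in, so the whole object is rejected. */
int validate_dirtree_entries(const char *const *names, size_t n, char *err, size_t errlen)
{
  for (size_t i = 0; i < n; i++)
    if (validate_dirtree_name(names[i], err, errlen) != NAME_OK)
      return (int)i;
  return -1;
}

int main(void)
{
  /* Constructed dirtree listing containing the traversal entry from the page's test. */
  const char *const entries[] = { "bin", "etc", "../afile", "usr" };
  char err[128];
  int bad = validate_dirtree_entries(entries, 4, err, sizeof err);
  if (bad >= 0)
    printf("reject dirtree before staging: entry %d: %s\n", bad, err);
  else
    printf("dirtree ok\n");
  return 0;
}
```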